Windows Product Activation: an early look

Paedia

Introduction

I've received an astounding amount of e-mail regarding Windows Product Activation, aka WPA. We have not had any official correspondence with Microsoft. Still, several very reliable sources have provided us with many interesting details concerning WPA. It should be made clear here at the outset that none of this information is guaranteed true, and even if it were true right now, it's surely subject to change. Microsoft may even simply be testing the waters on how far the consumer base will allow then to tighten the licensing reigns. Still, we believe that this information is viable enough to present to you, so here it is. For those of you who deny that Microsoft has any plans for an integrated copy protection system, first see their press release.

What is WPA?

Windows Product Activation, aka. WPA, will be integrated into all versions of Windows XP (the next version of Windows 2000), save DataCenter and volume-based licensed materials (e.g., for licensing Universities, Select partners, etc.). If WPA is in your copy of Windows XP, you'll have 30 days to activate the product using either the Internet or a phone-in system. Sources assure us that the phone-in system will be fast, and independent from Microsoft Support. Most people, either via dialup or LAN connections, will simply activate Windows XP seamlessly (hopefully) over the net.

How does it work? The pedestrian explanation is as follows: you, the user, enter your Product ID code at installation, just as before. When contacting Microsoft, you will provide that Product ID code and a "hardware code" generated by WPA. Taking these two numbers, Microsoft will then issue you another ID, and it's this ID that will activate Windows. According to several sources, the final ID and your country name are all that are required to activate Windows. This means that WPA is not a ploy to gather personal information about you. Product registration isseparate from activation. Activation will not require your name, address, etc., and registration will be optional as always.

If you fail to activate Windows after 30 days, your machine will only boot into the WPA interface. Sources say that you cannot boot into safe mode, or bypass the WPA in any way. Furthermore, WPA is reportedly going to include a tampering-detection scheme, which in the event of tampering with install dates, IDs, etc., will supposedly require a phone activation.

WPA is actually a hybrid of a few Microsoft Technologies. From early data received, it appears as though WPA is based upon "Desktop Licensing Technology," or DLT. DLT is the background component for the forthcoming Office Registration Wizard (ORW) to be included in Office 10. Office 10, now to be known as Office XP, will therefore operate the question more in-depth, we've got to see what we know about DLT.

DLT is as much an infrastructure as it is an API. DLT is the technology that supports both the transmission of product activation keys and unique system identifiers and the storage of those numbers. In a generic sense, the DLT infrastructure must look something like this: the user will normally connect to the Central ID storage system via the 'net. Still, phone support is available too, just in case your connection sucks, or is unavailable, or whatever. The phone support personnel will simply be connecting to the ID storage system for you, and will likely also carry special override powers in case of a problem (more on that in a bit). It is expected that Windows Terminal Services will be the communications API used for the User-to-CentralStorage connection. Needless to say, the Central ID Storage System will be on the 'net, not a private network. Given that, I suppose we'll see Microsoft paying a great deal of attention to the security aspects of Windows Terminal Services. Hopefully their solution will not be susceptible to the same kind of massive outage experienced recently.

Once connected to the system, the system will check your Product ID (and Hardware ID if this is a return visit) against a database. In doing so, sources say that the system will be interested mainly in 5 things: what kind of product ID it is (OEM, off-the-shelf, etc.), if it is on a "blocked" list, if the HWID is within "tolerance" (more below), if the date and clock settings are accurate on your computer, and finally if a "refund" has been issued. This last item intrigues me. Does this imply that Microsoft will be giving refunds for unused software? In a sense, the WPA scheme works two ways: it shows when an OS license is in use, and when it's not. I suppose one could definitively prove that they were not using their pre-installed OS if it was never activated.

The important thing to note here is that, unlike in previous releases, product activation is now going to be an interactive experience, wherein the OS actually contacts Microsoft and attempts to discern if it's a valid installation. In a sense, it's almost analogous to the hardware keys that are given out to people who purchase multi-thousand dollar software. The difference now is that the OS, rather than query a device on COM 2, now queries a central storage system run by Microsoft. If the Product ID is sent off to Microsoft from two different computers, it's going to notice this, and deny the registration. Microsoft's method of discerning one computer from another relies on the Hardware ID generated by the OS.

As for most enthusiasts, the Hardware ID (HWID) makes us nervous. How many times can I upgrade my box before having to re-register or buy another copy of Windows? What on earth can hardware review sites like Ars do about testing hardware? What we've been able to gather so far doesn't look promising.